The Associated Press reports on a recent security incident at Sabre Corp., showing yet again that IT companies need to be worried about third-party cyber liability – a potential source of lawsuits for IT consultants and service providers.
Sabre provides data solutions, online commerce, and web services for the travel industry. Its clients include hotels and airlines, notably American Airlines. Unfortunately for Sabre, there have been reports that its systems have been compromised. The company…
- Is conducting an investigation to see what data, if any, has been breached.
- Does not know yet if the incident has compromised protected information.
Why does this matter for you? IT companies can be liable for the security of their clients' data. If there are flaws in your work or in web services you recommend for clients, you could be sued for a related security breach.
What Is Third-Party Cyber Liability?
If you're reading up on Sabre's potential data breach, you may have come across articles claiming American Airlines' customers got hacked or that American Airlines itself was breached. That's not the case. The company that was attacked was the middleman – Sabre Corp. – an IT service provider.
In "Web Developer Settles with Insurer, Showing How Expensive Lawsuits Are," we covered a similar case. A bank's data was compromised because of a flaw in the work of the web design company that built its website.
Stories like these are prime examples of third-party cyber liability. Here's a breakdown:
- IT-related issues cause problems for your clients.
- Your client's data is exposed.
- And because you installed, built, or recommended the faulty IT, you can be sued.
You're liable for a third party's (your client's) data security. Check out "Third-Party Cyber Risk: What Every IT Business Should Know" for a more in-depth explanation.
4 Reasons IT Consultants Are at Risk of Cyber Liability Lawsuits
As noted, Sabre isn't aware of any stolen sensitive information (e.g., credit card data). Even if the compromised information didn't include financial data, here are four reasons the company can still face trouble:
- As we reported in "Seventh Circuit Ruling Could Open IT Businesses to More E&O Lawsuits," a federal appeals court ruled that consumers can sue even if they aren't victims of identity theft. Data loss may increase the likelihood they could be victims in the future, and courts ruled that this increased risk was enough to warrant a lawsuit.
- Lawsuits are becoming more common after data breaches (see "More Lawyers Willing to Sue after Data Breaches"). If sued, Sabre's IT will come under scrutiny. If lawyers can find signs the company didn't follow best practices, Sabre could be held liable and lose a lawsuit.
- The security incident may have damaged the reputation of the travel companies that host their services through Sabre. A damaged ecommerce reputation may be more than enough reason for these companies to sue.
- Sabre could be liable for the security incident even if the flaw that cyber criminals exploited was due to a problem with software or services provided by another company. Lawyers can point to flaws in how you acquire and integrate IT. Even if you don't write the code yourself, you can be sued.
It's important to clarify: with IT liability, it doesn't really matter whether or not you're to blame. What matters is whether or not a client thinks you could be to blame.
Win or lose, lawsuits can be costly. This is part of the reason why it's become important for IT consultants and service providers to have Errors and Omissions Insurance. Third-party coverage can be included with your E&O, but that's not always the case. For this reason, it's smart to work with insurance providers that know tech liability and can make sure your coverage matches your cyber risks.